Apple tries to kill its own Java on most Macs

Pushes users to deal with Oracle, which maintains Java 7 for OS X

Apple yesterday started scrubbing most Macs of older Java browser plug-ins, a move that will force users to download the software from Oracle. The company also patched Java for OS X, the second time Apple synchronized its Java security update with Oracle's, releasing its patches for OS X the same day as the Java software maker.

Along with the Java patches, Apple beefed up OS X security by uninstalling old browser plug-ins for the software.

The update aimed at Lion and Mountain Lion -- which collectively accounted for 60% of all Macs last month -- zaps plug-ins provided by Apple via Java 6 and earlier.

"This update uninstalls the Apple-provided Java applet plug-in from all Web browsers," Apple said in a support document.

Apple's Java update for Snow Leopard did something different: "On systems that have not already installed Java for Mac OS X 10.6 update 9 or later, this update will configure Web browsers to not automatically run Java applets," Apple stated.

After the Lion and Mountain Lion update is applied, users who browse to websites that require Java will see the message "Missing plug-in," and can then proceed to the Oracle site to download the newest version of Java 7 and its browser plug-in.

Apple has been ratcheting up efforts to eliminate some plug-ins, notably Adobe's Flash Player and Oracle's Java, after hundreds of thousands of Macs were infected by the Flashback Trojan horse last March and April.

The company reacted with several measures, including blocking older versions of Flash. Earlier, Apple had made similar moves on Java, first blocking automatic execution of the Oracle plug-in, and then following that with a patch that automatically disabled the plug-in if it had not been run in the past 35 days.

Wolfgang Kandek, CTO of Qualys, saw Wednesday's plug-in elimination as both a security enhancement and an attempt by Apple to push customers towards Oracle as the distributor of Java.

"[This] might be part of the migration to a Java completely provided by Oracle," said Kandek via instant message today. "It will [also] enhance security, and reduce the number of web-accessible Java installations on Macs."

Apple stopped bundling Java with OS X starting with 2011's Lion; this year's Mountain Lion also omitted Java. The Cupertino, Calif. company is still responsible for patching Java 6 and earlier, but Oracle takes care of OS X users running Java 7.

While Lion and Mountain Lion did not include Java, users may have installed it themselves: When a browser encounters a Java applet, OS X asks for permission to download the Oracle software. People running the older Snow Leopard (2009) and Leopard (2007) have Java installed by default.

Apple took other measures to shove Mac owners towards Oracle, including removing Java options from the Preferences window.

Along with the anti-Java plug-in maneuver, Apple also shipped two Java updates, dubbed Java for Mac OS X 10.6 Update 11 and Java for OS X 2012-006, that patched 20 critical vulnerabilities on OS X Snow Leopard, and OS X Lion and Mountain Lion, respectively.

Oracle patched the same 20 bugs -- and 10 more for good measure -- on Wednesday for Windows. The firm updated Java 5, 6 and 7 for Windows, and Java 7 for OS X.

Adam Gowdiak, founder and CEO of Polish security firm Security Explorations, reported most of the bugs that Oracle patched yesterday.

Gowdiak has found other Java vulnerabilities in the past. Earlier this year he reported more than a dozen. Months later, hackers independently uncovered one of the bugs, then began using it in widespread attacks during August.

But neither Oracle nor Apple addressed the critical zero-day vulnerability that Gowdiak submitted to Oracle late last month. The flaw impacted OS X as well as Windows versions of the software.

According to Gowdiak, Oracle told him it had received the bug report as it was wrapping up testing of the Oct. 16 update, and was unable to work up a fix in time. "Oracle confirm[ed] that it is on track to deliver fixes for [this bug] in the next Java SE Critical Patch Update which ships in February 2013," Gowdiak wrote on his firm's bug status website.

In the hope that he could prod Oracle to act quickly last month, Gowdiak had gone public -- albeit minus technical details -- rather than privately reporting it to Oracle and waiting for the company to quietly patch Java. But the strategy came up bust. "[We also asked] for the reason of sticking to Oracle's semi-quarterly patch release schedule, which means [an] additional 4 months to wait for a patch for a critical security issue in Java," Gowdiak noted. Oracle patches Java approximately every four months. As Gowdiak alluded, the next regularly-scheduled update is slated to ship Feb. 19, 2013.

The last time Apple updated Java was in early September, when it fixed flaws Oracle had addressed weeks before with an emergency update that aimed to squash aggressive and widespread attacks exploiting a vulnerability.

Users running Java 6 and earlier can grab the update for their version of OS X by triggering Software Update from the Apple menu. Java 7 can be updated by downloading the new version, Java SE Runtime Environment 7u9, from Oracle's website.

Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld. Follow Gregg on Twitter at @gkeizer, send e-mail to gkeizer@ix.netcom.com or subscribe to Gregg's RSS feed.

Copyright © 2012 IDG Communications, Inc.